IT Security Professionals and CISSP exam candidates find the field of Risk Management and Security Metrics tough to navigate. Risk management in the IT and security world today is a bit of a mess. Read what world-renowned Security and CISSP expert Shon Harris has to say about security metrics in the fifth of a five-part article series. This article discusses the importance of understanding the need to develop or select metrics and how to implement them. Metrics are not the sexiest part of security, but they are one of the most important if we really want to understand where we are, where we need to go and how to get there.

Metrics are tools that should be used to aid in decision making, and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.

Security metrics are based on security performance goals and objectives. Security performance goals state the desired results of implementation of a security program. Security performance objectives, in turn, enable the accomplishment of goals. They do this by identifying practices defined by policies, standards and procedures that direct consistent implementation of data protection controls across the organization.

The policies, standards, and procedures describe the controls (technology, process, administrative) that should be in place, and metrics provide insight into the implementation, efficiency, effectiveness, and business impact of these controls. Before beginning the process of developing a security metrics program, an organization first needs to get the proper policies, standards, and procedures developed and in place; otherwise there is nothing to use as benchmarks.

Security metrics monitor the accomplishment of the goals and objectives outlined in the stated documents. They accomplish this by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities, and identifying possible improvement actions.

The following matters must be considered during development and implementation of a security metrics program:

Metrics must be useful for tracking performance and directing resources.

The metrics development process, as described below, ensures that metrics are developed with the purpose of identifying causes of poor performance, and that they therefore point to appropriate corrective actions.

Types

An organization should develop and collect metrics of three types:

Implementation metrics to measure implementation of security controls

Effectiveness/efficiency metrics to measure the results of security controls

Impact metrics to measure the impact on business or mission of security events

The types of metrics that can realistically be obtained and are useful for performance improvement depend on the maturity of the organization’s security program. Although different types of metrics can be used simultaneously, the primary focus of security metrics shifts as the implementation of security controls matures.

NOTE

The development and implementation of a metrics program takes precision, discipline, and focus. The development and rollout of a metrics program takes a lot of time and effort in the beginning, but once it is implemented, the workload of maintaining it decreases.

It cannot be emphasized enough that great diligence must be taken when developing the initial metrics. Capturing the wrong type of data results in a waste of time and resources. Capturing partial data shows only part of the story. And capturing data that has no supporting evidence provides a false sense of security.